CN105739299B - Control device based on two-by-two-out-of-two safety redundancy system - Google Patents
Control device based on two-by-two-out-of-two safety redundancy system Download PDFInfo
- Publication number
- CN105739299B CN105739299B CN201610287247.5A CN201610287247A CN105739299B CN 105739299 B CN105739299 B CN 105739299B CN 201610287247 A CN201610287247 A CN 201610287247A CN 105739299 B CN105739299 B CN 105739299B
- Authority
- CN
- China
- Prior art keywords
- unit
- output
- communication
- power supply
- interface
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0421—Multiprocessor system
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24182—Redundancy
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24186—Redundant processors are synchronised
Abstract
The invention discloses a control device based on a two-by-two-out-of-two safety redundancy system, which comprises a first two-out-of-two system, a second two-out-of-two system, a system redundancy power supply and a system switching device, wherein the first two-out-of-two system is connected with the second two-out-of-two system; the system redundant power supply respectively supplies power to the first two-out-of-two system, the second two-out-of-two system and the system switching device; the system switching device can switch the operation state of the first two-out-of-two system and the second two-out-of-two system. The control device based on the two-by-two-out-of-two safety redundancy system has high availability, reliability and safety.
Description
Technical Field
The invention relates to the technical field of communication safety control, in particular to a control device based on a two-by-two safety redundancy system.
Background
The safety control platform is an important processing platform in each industrial field and has basic functions of signal input, logic processing, signal output and the like. The requirements of the safety control platform on reliability, availability, maintainability and safety are all in accordance with relevant regulations in EN 50126.
Disclosure of Invention
The invention provides a control device based on a two-by-two safety redundancy system, which has high reliability and strong usability.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a control device based on a two-by-two-out-of-two safety redundancy system comprises a first two-out-of-two system, a second two-out-of-two system, a system redundancy power supply and a system switching device;
the system redundant power supply supplies power to the first two-out-of-two system, the second two-out-of-two system and the cutting device;
the system switching device can switch the operation state of the first two-out-of-two system and the second two-out-of-two system.
Preferably, the switching is switched to automatic switching, that is, the master system is automatically selected according to the operating conditions of the two-out-of-two systems.
Preferably, the first binary system or the second binary system includes a first safety power supply, a first main control unit, a second main control unit, a first communication unit, a second communication unit, a first acquisition unit, a second acquisition unit, a first output unit, a second output unit, and a first recording unit;
the first safety power supply provides independent logic power supplies for the first main control unit, the first communication unit, the first acquisition unit and the first output unit; the first safety power supply provides independent logic power supplies for the second main control unit, the second communication unit, the second acquisition unit and the second output unit;
the first main control unit is respectively in communication connection with the first communication unit, the first acquisition unit, the first output unit and the first recording unit; the first communication unit, the first acquisition unit, the first output unit and the first recording unit form a first channel of the first binary system;
the second main control unit is respectively in communication connection with the second communication unit, the second acquisition unit, the second output unit and the first recording unit; the second communication unit, the second acquisition unit, the second output unit and the first recording unit form a second channel of the first binary system.
Preferably, the system also comprises a communication interface A, a communication interface B, an output interface A and a collection interface A;
the communication interface A is connected with the first communication unit; the communication interface B is connected with the second communication unit; the output interface A is connected with the first output unit and the second output unit; the acquisition interface A is connected with the first acquisition unit and the second acquisition unit.
Preferably, the first safety power supply receives dynamic signals output by the first main control unit and the second main control unit, and correspondingly supplies power to the communication interface a, the communication interface B and the output interface a;
and when the transceiving time of the communication interface A and/or the communication interface B exceeds the preset time or the data exceeds the preset time, closing the first two-out-of-two system and switching to the second two-out-of-two system to work.
Preferably, the first output unit and the second output unit each include a delay circuit, and the delay circuits are configured to delay the signals output by the respective output units.
Preferably, voting functions are set between the first communication unit and the second communication unit, between the first output unit and the second output unit, and between the first acquisition unit and the second acquisition unit, so as to implement real-time voting on input data, output data and/or operation state;
the method for carrying out real-time voting on the input data, the output data and/or the running state comprises the following steps:
carrying out byte modulo two addition operation on the voted data, voting preset times, and if one time is true, the voting is passed; otherwise, jumping into a fault trap, and closing the corresponding communication interface and the output interface.
Preferably, a two-out-of-two unit is formed between the first communication unit and the second communication unit, between the first output unit and the second output unit, and between the first acquisition unit and the second acquisition unit;
each two-out-of-two unit comprises a clock isolation circuit, a data isolation circuit and two sets of symmetrical hardware structures; the clock isolation circuit and the data isolation circuit are arranged between the two sets of hardware structures and are electrically connected with the two sets of hardware structures;
each set of hardware structure comprises an operation CPU, a scheduling FPGA, an independent power supply, an independent interface circuit and a corresponding expansion circuit; the operation CPU is connected with the scheduling FPGA, and the scheduling FPGA is connected with the independent interface circuit; the independent power supply supplies power to the operation CPU, the scheduling FPGA, the independent interface circuit and the corresponding expansion circuit.
Preferably, the switching device comprises a key switch and a mutual exclusion circuit; the key switch is electrically connected with the mutual exclusion circuit;
the switching device receives a condition output power supply output by the first safety power supply and the second safety power supply and main and standby state signals output by the first main control unit to the fourth main control unit; and the master-slave switching device sends the master-slave selection signal output by the key switch and the master-slave selection signal output by the exclusive circuit to the corresponding master control unit.
Preferably, the system redundant power supply comprises a first redundant power supply, a second redundant power supply and a third redundant power supply;
the first redundant power supply supplies power to the first two-out-of-two system, the second redundant power supply supplies power to the cutting device, and the third redundant power supply supplies power to the second two-out-of-two system;
the first, second, and third redundant power supplies are isolated from one another.
Adopt the produced beneficial effect of above-mentioned technical scheme to lie in: the first two-out-of-two system and the second two-out-of-two system comprise completely same software and hardware, are independent in power supply, form a two-by-two redundancy relationship and guarantee the availability and reliability of a target system; moreover, the arrangement of the cutting device can better improve the usability. Furthermore, each two-out-of-two system comprises two processing channels with consistent input, and the output of the two processing channels is output externally through a safety circuit such as a hardware voting module, so that a two-by-two-out-of-two safety structure is formed, and the safety of a target system is guaranteed. Moreover, the control device can meet various application scenes of vehicle-mounted and ground, provide an extensible and safe input and output interface, and provide a service layer interface and a communication channel protocol updating interface for a user.
Drawings
FIG. 1 is a schematic structural view of the present invention;
FIG. 2 is a detailed structural schematic of one embodiment of the present invention;
FIG. 3 is a schematic view of the present invention in connection with a service device and an external device;
FIG. 4 is a schematic diagram of a hardware structure of each binary unit in FIG. 2;
FIG. 5 is a schematic diagram of the two-out-of-two voting process of FIG. 4;
FIG. 6 is a schematic diagram illustrating a process of executing a two-out-of-two unit program in FIG. 4;
fig. 7 is a schematic diagram of the application extension of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, in one embodiment, a control device based on a two-by-two-out-of-two safety redundant system may include a system redundant power supply 100, a first two-out-of-two system 210, a second two-out-of-two system 220, and a tie-down device 300. The system redundancy power supply 100 respectively supplies power to the first binary system 210, the second binary system 220 and the tie-down device 300. The cutting device 300 is connected to the first binary system 210 and the second binary system 220, respectively. The tie-cutting device 300 is provided with three working states of forcing the first binary system 210 to be the main tie, forcing the second binary system 220 to be the main tie and selecting the main tie according to the operating conditions of the two binary systems.
Referring to fig. 2, as an implementation, the first binary system 210 and the second binary system 220 have the same structure, and for convenience of the following description, specific structures of the first binary system 210 and the second binary system 220 are named by different names. The first binary system 210 may include a first secure power source 211, a first main control unit 2121, a second main control unit 2122, a first communication unit 2131, a second communication unit 2132, a first acquisition unit 2151, a second acquisition unit 2152, a first output unit 2141, a second output unit 2142, and a first recording unit 216. The first secure power supply 211 provides independent logic power for the first main control unit 2121, the first communication unit 2131, the first acquisition unit 2151, and the first output unit 2141. The first secure power supply 211 provides independent logic power for the second master control unit 2122, the second communication unit 2132, the second acquisition unit 2152, and the second output unit 2142.
The first master control unit 2121 is in communication connection with the first communication unit 2131, the first acquisition unit 2151, the first output unit 2141, and the first recording unit 216, respectively. Specifically, the first master control unit 2121 may be communicatively connected to the first communication unit 2131, the first acquisition unit 2151, the first output unit 2141, and the first recording unit 216 via the first internal bus 217 in a master-slave mode. The first communication unit 2131, the first acquisition unit 2151, the first output unit 2141, and the first recording unit 216 form a first channel of the first binary system 210, so as to implement a data scheduling process inside the first channel of the first binary system 210. The first channel of the first binary system 210 is the I-system a channel shown in fig. 3.
The second master control unit 2122 is in communication connection with the second communication unit 2132, the second acquisition unit 2152, the second output unit 2142, and the first recording unit 216, respectively. Specifically, the second master control unit 2122 may be communicatively connected to the second communication unit 2132, the second acquisition unit 2152, the second output unit 2142, and the first recording unit 216 via the second internal bus 218 in a master-multi-slave mode. The second communication unit 2132, the second acquisition unit 2152, the second output unit 2142, and the first recording unit 216 form a second channel of the first binary system 210, so as to implement a data scheduling process inside the second channel of the first binary system 210. The second channel of the first binary system 210 is the I-system B channel shown in fig. 3.
Further, referring to fig. 2, the first binary system 210 may further include a communication interface a, a communication interface B, an output interface a, and an acquisition interface a. The communication interface a is connected to the first communication unit 2131. The communication interface B is connected to the second communication unit 2132. The output interface a is connected to the first output unit 2141 and the second output unit 2142. Acquisition interface a is connected to first acquisition unit 2151 and second acquisition unit 2152. The first safety power supply 211 receives dynamic signals output by the first main control unit 2121 and the second main control unit 2122, and supplies power to the communication interface a, the communication interface B, and the output interface a correspondingly as a condition determination signal of the conditional power supply.
Referring to fig. 2, as an implementable embodiment, the second binary system 220 includes a second secure power supply 221, a third main control unit 2221, a fourth main control unit 2222, a third communication unit 2231, a fourth communication unit 2232, a third acquisition unit 2251, a fourth acquisition unit 2252, a third output unit 2241, a fourth output unit 2242, and a second recording unit 226. The second secure power supply 221 provides independent logic power for the third main control unit 2221, the third communication unit 2231, the third collection unit 2251, and the third output unit 2241. The second secure power supply 221 provides independent logic power for the fourth main control unit 2222, the fourth communication unit 2232, the fourth collection unit 2252, and the fourth output unit 2242.
The third main control unit 2221 is communicatively connected to the third communication unit 2231, the third collection unit 2251, the third output unit 2241, and the second recording unit 226, respectively. Specifically, the third master control unit 2221 may be communicatively connected to the third communication unit 2231, the third collection unit 2251, the third output unit 2241, and the second recording unit 226 through the third internal bus 227 in a master-slave mode. The third communication unit 2231, the third collection unit 2251, the third output unit 2241, and the second recording unit 226 form a first channel of the second taking second system 220, so as to implement a data scheduling process inside the first channel of the second taking second system 220. Wherein the first channel of the second binary system 220 is shown in FIG. 3
Is the A channel.
The fourth main control unit 2222 is communicatively connected to the fourth communication unit 2232, the fourth collection unit 2252, the fourth output unit 2242, and the second recording unit 226, respectively. Specifically, the fourth master control unit 2222 may be communicatively connected to the fourth communication unit 2232, the fourth collection unit 2252, the fourth output unit 2242, and the second recording unit 226 through the fourth internal bus 228 in a master-slave mode, respectively. The fourth communication unit 2232, the fourth collection unit 2252, the fourth output unit 2242 and the second recording unit 226 form a second channel of the second-out-of-second system 220, so as to implement a data scheduling process inside the second channel of the second-out-of-second system 220. Wherein the second channel of the second binary system 220 is the channel shown in FIG. 3
Is the B channel.
Further, referring to fig. 2, the second binary extracting system 220 may further include a communication interface C, a communication interface D, an output interface B, and an acquisition interface B. The communication interface C is connected to the third communication unit 2231. The communication interface D is connected to the fourth communication unit 2232. The output interface B is connected with the third output unit 2241 and the fourth output unit 2242. The acquisition interface B is connected to a third acquisition unit 2251 and a fourth acquisition unit 2252. The second safety power supply 221 receives the dynamic signals output by the third main control unit 2221 and the fourth main control unit 2222, and uses the dynamic signals as the condition determination signals of the conditional power supply, and correspondingly supplies power to the communication interface C, the communication interface D, and the output interface B.
In one embodiment, the tie down device 300 may include a key switch and a mutex circuit. The key switch is electrically connected with the mutual exclusion circuit. The switching device 300 receives the conditional output power outputted by the first safety power 211 and the second safety power 221, and the active/standby status signals outputted by the first main control unit 2121 to the fourth main control unit 2222. The system switching device 300 sends the main and standby system selection signals output by the key switch and the main and standby system selection signals output by the mutex circuit to the corresponding main control units.
In this embodiment, the key switch of the contact device 300 can manually or automatically determine that one of the first binary system 210 and the second binary system 220 is the master, and ensure that only one of the first binary system 210 and the second binary system 220 is the master at a certain time. In addition, the master/slave system status information may also be identified by the switching device 300. For example, which of the first binary system 210 and the second binary system 220 is the primary system, the working status information of the primary and secondary systems, and so on.
Further, the first output unit 2141 to the fourth output unit 2242 each include a delay circuit. The delay circuit is used for presetting delay for the signals output by each output unit. After obtaining the close command, each output port does not close the final output within time T0, but reliably closes within time T1. In addition, if the output port of the system is closed to output due to the fault of one binary system, the system is reliably switched to the other binary system to continue outputting within the time T0, and the seamless switching operation is realized.
As an implementable manner, each communication interface can be provided with a time judgment function, a data timestamp function and a dynamic square wave function, data real-time performance is strictly checked, and when data transceiving time or data timeout occurs at any place, the corresponding two-out-of-two system cannot normally operate, the final output is closed, and the operation is switched to the other two-out-of-two system. Specifically, when the transceiving time of the communication interface a and/or the communication interface B exceeds the preset time or the data exceeds the preset time, the first binary system 210 is turned off, and the operation is switched to the second binary system 220. When the transceiving time of the communication interface C and/or the communication interface D exceeds the preset time or the data exceeds the preset time, the second two-out-of-two system 220 is turned off, and the first two-out-of-two system 210 is switched to work.
A voting function is set between the first communication unit 2131 and the second communication unit 2132. A voting function is arranged between the first output unit 2141 and the second output unit 2142. A voting function is set between the first and second acquisition units 2151 and 2152. A voting function is set between the third communication unit 2231 and the fourth communication unit 2232. A voting function is provided between the third output unit 2241 and the fourth output unit 2242. And a voting function is set between the third collection unit 2251 and the fourth collection unit 2252. A voting function is set, and real-time voting can be carried out on input data, output data and/or operation states in each unit.
The method for carrying out real-time voting on input data, output data and/or operation states comprises the following steps: carrying out byte modulo two addition operation on the voted data, voting preset times, and if one time is true, the voting is passed; otherwise, jumping into a fault trap, and closing the corresponding communication interface and the output interface. As shown in fig. 5 and 6, if the data table of a certain processing unit is in no way consistent and exceeds the limit during the operation, the system jumps into a fault trap, closes the corresponding communication interface and output interface, and outputs the maintenance indication information.
Specifically, two-out-of-two units are formed between the first communication unit 2131 and the second communication unit 2132, between the first output unit 2141 and the second output unit 2142, between the first acquisition unit 2151 and the second acquisition unit 2152, between the third communication unit 2231 and the fourth communication unit 2232, between the third output unit 2241 and the fourth output unit 2242, and between the third acquisition unit 2251 and the fourth acquisition unit 2252. All two-out-of-two units are provided with a software communication voting function, and signals of both communication parties are isolated. Namely, software voting functions are set in the periodic operation process of the system, and input data, output data and operation states at the node are voted in real time. Performing byte modulo two addition operation on the voted data, if one time is true after voting for a preset number of times, the voting is passed, and the program can continue to execute the next task; otherwise, jumping into a fault trap, and closing the corresponding communication interface and output interface.
Referring to fig. 4, in one embodiment, each binary unit may include a clock isolation circuit, a data isolation circuit, and two sets of symmetrical hardware structures 10. The clock isolation circuit and the data isolation circuit are arranged between the two sets of hardware structures 10, are electrically connected with the two sets of hardware structures 10, and are used as synchronous operation circuits for channel clock synchronization, data synchronization, task synchronization and the like. Each hardware structure 10 includes an arithmetic CPU 11, a scheduling FPGA 12, an independent power supply 14, an independent interface circuit 13, and a corresponding expansion circuit. The expansion circuits in the hardware structure 10 are different for different units. The operation CPU 11 is connected with the scheduling FPGA 12. The scheduling FPGA 12 is connected to an independent interface circuit 13. The independent power supply 14 supplies power to the operation CPU 11, the scheduling FPGA 12, the independent interface circuit 13 and the corresponding expansion circuit.
Specifically, task synchronization pulses with an interval of 10ms are output by the scheduling FPGA 12 of the channel a, and the pulses are output to the operation CPU 11 of the channel a and the scheduling FPGA 12 of the channel B, respectively. And the scheduling FPGA 12 of the B channel outputs the 10ms task synchronization pulse to the operation CPU 11 of the B channel and the scheduling FPGA 12 of the A channel. At this point, the scheduling FPGA 12 of channel a checks the returned 10ms task sync pulse. A. The operation CPU 11 of the B two channels and the scheduling FPGA 12 of the B channel also check the 10ms task synchronization pulse by using own clocks. A. A failure of either of the B two channel scheduling FPGAs 12 will cause the 10ms task sync pulse to stop and the system task to stop.
In addition, corresponding independent interface circuits 13 can be arranged according to different functional requirements. For example, the independent interface circuit 13 corresponding to the master unit may be configured as an internal communication bus interface. The independent interface circuit 13 of each other type unit CAN be provided with more than one interface of a network card interface, an RS232 interface, a CAN bus interface, an RS422/485 interface, an acquisition interface and an output interface besides the internal bus interface. Of course, other interfaces than the above-mentioned interface may be adjusted in the interface circuit according to the same mode to meet the system requirements.
Referring to fig. 5, all tasks of each CPU and FPGA are set to be performed at the synchronous pulse beat as shown in fig. 5. The synchronization sequence can be divided into four steps: firstly, two channels of each two-out-of-two unit A, B are synchronous, and the A channel synchronization is mainly used; secondly, synchronizing all single boards in the system, and taking synchronization of a main control unit as a main control unit; thirdly, synchronizing the system I and the system II by mainly using a system I main control unit; and fourthly, synchronizing the remote cage and the master cage mainly by synchronizing the master cage.
Referring to FIG. 2, in one embodiment, a system redundant power supply 100 may include a first redundant power supply 110, a second redundant power supply 120, and a third redundant power supply 130. The first redundant power supply 110 supplies power to the first binary system 210. The second redundant power supply 120 provides power to the tie-down device 300 and other non-safety components. The third redundant power supply 130 supplies power to the second binary system 220. The first redundant power supply 110, the second redundant power supply 120, and the third redundant power supply 130 are isolated from each other. In addition, the system redundant power supply 100 may also include power filtering means. The first redundant power supply 110 provides power to the first binary system 210 through a power filter. The second redundant power supply 120 provides power to the second binary system 220 through a power filter. The third redundant power supply 130 provides power to the tie-down device 300 and other devices through the power filter device.
As one possible implementation, the first redundant power supply 110 may include a first redundant power supply a and a first redundant power supply B. The second redundant power supply 120 may include a second redundant power supply a and a second redundant power supply B. The third redundant power supply 130 may include a third redundant power supply a and a third redundant power supply B. The inputs of each set of redundant power supplies are AC220V AC power, and the first redundant power supply 110 outputs DC24V DC power to power the first binary system 210. The second redundant power supply 120 outputs DC24V direct current to power the tie-down device 300 and other non-safety components. The third redundant power supply 130 outputs DC24V DC power to power the second binary system 210.
Referring to fig. 3, when the control device based on the two-by-two-out-of-two safety redundant system is used, the control device based on the two-by-two-out-of-two safety redundant system is connected to the maintenance equipment 400 and the external equipment 500. When connected to the maintenance device 400, the maintenance device 400 communicates with the first main control unit 2121, the second main control unit 2122, the third main control unit 2221, and the fourth main control unit 2222 through the process redundancy ethernet, respectively.
When the control device of the two-by-two safety redundancy system acquires the switch state of the external device 500, the first acquisition unit 2151, the second acquisition unit 2152, the third acquisition unit 2251, and the fourth acquisition unit 2252 may be connected to the state contacts of the external device 500, respectively. It is also possible to cause the first and second acquisition units 2151 and 2152 to acquire one set of status contacts of the external device 500 and to cause the third and fourth acquisition units 2251 and 2252 to acquire another set of status contacts of the external device 500 representing the same information, which can eliminate the cause of malfunction due to damage to external wiring.
When the control device of the two-by-two-out-of-two safety redundant system drives the switching value output, the first output unit 2141, the second output unit 2142, the third output unit 2241, and the second output unit 2242 output the interface a and the output interface B, respectively. The output interface a is obtained by the hardware voting unit from the switching value signals output by the first output unit 2141 and the second output unit 2142. The output interface B is obtained by the switching value signals output by the third output unit 2241 and the second output unit 2242 through a hardware voting unit. The two output interfaces are provided with one-way output functions, and can be set into two-way driving or one-way driving according to the requirements of driven equipment. If the output interface A and the output interface B are set to be driven in one path, the positive ends of the output interface A and the output interface B can be in short circuit, and the negative ends of the output interface A and the output interface B can be in short circuit, so that a new output port is formed.
When the control device based on the two-by-two-out-of-two safety redundancy system establishes communication connection with the external device 500, the control device based on the two-by-two-out-of-two safety redundancy system can be configured to be in communication cross connection or direct connection with the external device 500. The external communication devices supported must be either a two-by-two or two-out-of-two security system configuration. When a certain series of external devices 500 fails, the normal function of the control device based on the two-by-two-out-of-two safety redundant system is not affected.
Because the application CPUs of the control device based on the two-by-two-out-of-two safety redundant system are respectively arranged in four groups of independent main control units, the four groups of CPUs are all used for carrying out service operation synchronously in real time, and the maintenance equipment 400 is used for respectively recording the logic input, the processing process and the logic output of the four groups of CPUs.
Further, the first master control unit 2121 and the third master control unit 2221 are provided with high-speed communication channels, and the second master control unit 2122 and the fourth master control unit 2222 are provided with high-speed communication channels. Two independent interaction I systems and two independent interaction II systems take two input and output data and state data, internal data sharing of the two-generation system is achieved, and when one system cannot work normally due to faults, the system is seamlessly switched to the other system to continue to operate and output data.
The control device based on the two-by-two-out-of-two safety redundancy system is suitable for various vehicle-mounted and ground application environments. According to different application environments, different communication interface numbers, acquisition interface numbers and output interface numbers can be configured, and corresponding module virtual interfaces are also arranged in the main control unit. A19-inch cage with an electromagnetic shielding function is adopted, and the unit single plates in the figure 2 are symmetrically arranged in the cage. If the number of interfaces of a 19-inch cage cannot meet the number requirement of a certain application scene, the device and the system are expanded by taking the cage as a unit, as shown in fig. 7. The cage with the service program processing function is the master control cage 600, and the other cages without the service program processing function are the remote cages 700. In physical configuration, the two-out-of-two systems are respectively disposed on the left and right sides of the master control cage 600. Except that the positions of the safety power supply unit, the recording unit and the switching device are fixed, other unit board cards can be flexibly configured. The remote cage 700 is basically consistent with the master cage 600, a safety power supply and a master control unit are required to be arranged, a communication unit, an acquisition unit and an output unit are configured according to requirements, the master control unit does not have a logic software processing function, and only takes charge of safety management of the cage, internal data scheduling and data transceiving work of a communication interface of the cage and the master control cage. The distal cage 700 is also not provided with a tether. The remote cage 700 and the master cage 600 perform data transmission through ethernet communication, and configure a two-by-two secure computer system as an optical fiber ring network device in a switch topology network interface manner, so as to implement multi-node acquisition and output functions in a huge system.
After the data of the remote cage 700 is acquired, the data is sent to the main control unit of the cage through the processes of packaging and protocol, and then all the single board data are integrated into a standard frame through the main control unit and sent to the communication unit of the main control cage 600. The communication unit of the master cage 600 sends the obtained data of each remote cage 700 to the master unit of the master cage 600 according to a fixed protocol process.
After the master cage 600 obtains the output data through the service function processing, the output data is sent to the communication unit according to the fixed protocol process, and the communication unit distributes the output data packet to the master unit of each remote cage 700. And after the main control unit of the remote cage 700 analyzes the output data of the cage, the data is sent to each output unit of the cage according to a fixed protocol process, and the output units vote and output through the hardware voting module.
In the process of data receiving and sending, a two-out-of-two mode needs to be installed to vote data through any single board link, and the data passing through the voting is transmitted to the next stage, as shown in fig. 5. If the data of a certain link is overtime or inconsistent, the device and the system cut off the link data and continue working by the other link data.
In addition, the power output condition of each safety power supply in the master control cage 600 is that both the two channel CPUs of the master control unit output normal dynamic square wave signals, as shown in fig. 5. The power output condition of each safety power supply in the remote cage 700 is that both the two-channel CPUs of the main control unit of the local cage output normal dynamic square wave signals, and each safety power supply of the remote cage 700 is also controlled by the safety power supply of the main control cage 600. If the input condition of the safety power supply in the master control cage 600 is not satisfied or the safety power supply itself fails, all the safety power supply boards of the two-out-of-two system where the safety power supply is located will stop supplying power, and all the output interfaces and the communication interfaces of the system will be closed.
The control device based on the two-by-two-out-of-two safety redundancy system, the first two-out-of-two system 210 and the second two-out-of-two system 220 comprise completely identical software and hardware, are independent in power supply, form a two-by-two redundancy relationship, and guarantee the availability and reliability of a target system; moreover, the arrangement of the tying device 300 can improve usability. Furthermore, each two-out-of-two system comprises two processing channels with consistent input, and the output of the two processing channels is output externally through a safety circuit such as a hardware voting module, so that a two-by-two-out-of-two safety structure is formed, and the safety of a target system is guaranteed. Moreover, the control device can meet various application scenes of vehicle-mounted and ground, provide an extensible and safe input and output interface, and provide a service layer interface and a communication channel protocol updating interface for a user.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (9)
1. A control device based on a two-by-two-out-of-two safety redundancy system is characterized by comprising a first two-out-of-two system, a second two-out-of-two system, a system redundancy power supply and a system switching device;
the system redundant power supply supplies power to the first two-out-of-two system, the second two-out-of-two system and the cutting device;
the system switching device can switch the running conditions of the first two-out-of-two system and the second two-out-of-two system;
the first two-out-of-two system and the second two-out-of-two system are identical in structure, and the first two-out-of-two system comprises a first safety power supply, a first main control unit, a second main control unit, a first communication unit, a second communication unit, a first acquisition unit, a second acquisition unit, a first output unit, a second output unit and a first recording unit;
the first safety power supply provides independent logic power supplies for the first main control unit, the first communication unit, the first acquisition unit and the first output unit; the first safety power supply provides independent logic power supplies for the second main control unit, the second communication unit, the second acquisition unit and the second output unit;
the first main control unit is respectively in communication connection with the first communication unit, the first acquisition unit, the first output unit and the first recording unit; the first communication unit, the first acquisition unit, the first output unit and the first recording unit form a first channel of the first binary system;
the second main control unit is respectively in communication connection with the second communication unit, the second acquisition unit, the second output unit and the first recording unit; the second communication unit, the second acquisition unit, the second output unit and the first recording unit form a second channel of the first binary system;
voting functions are set between the first communication unit and the second communication unit, between the first output unit and the second output unit and between the first acquisition unit and the second acquisition unit, real-time voting is carried out on data of each unit, and if data of a certain unit are inconsistent, the current two-out-of-two system is cut off and switched to the other two-out-of-two system to work;
the first two-out-of-two system further comprises a communication interface A and a communication interface B, wherein the communication interface A is connected with the first communication unit, and the communication interface B is connected with the second communication unit; the second fetching system also comprises a communication interface C and a communication interface D, wherein the communication interface C is connected with a third communication unit in the second fetching system, and the communication interface D is connected with a fourth communication unit in the second fetching system; a time judgment function, a data timestamp function and a dynamic square wave function are set in each communication interface, and when the transceiving time of the communication interface A and/or the communication interface B exceeds the preset time or the data exceeds the preset time, the first two-out-of-two system is closed and switched to the second two-out-of-two system to work; and when the transceiving time of the communication interface C and/or the communication interface D exceeds the preset time or the data exceeds the preset time, closing the second two-out-of-two system and switching to the first two-out-of-two system to work.
2. The apparatus according to claim 1, wherein the switching is automatic switching, that is, the master system is automatically selected according to the operating conditions of the two binary systems.
3. The control device based on the two-by-two-out-of-two safety redundancy system according to claim 1, further comprising a communication interface A, a communication interface B, an output interface A and a collection interface A;
the communication interface A is connected with the first communication unit; the communication interface B is connected with the second communication unit; the output interface A is connected with the first output unit and the second output unit; the acquisition interface A is connected with the first acquisition unit and the second acquisition unit.
4. The control device according to claim 3, wherein the first safety power supply receives the dynamic signals output by the first master control unit and the second master control unit, and correspondingly supplies power to the communication interface A, the communication interface B and the output interface A;
and when the transceiving time of the communication interface A and/or the communication interface B exceeds the preset time or the data exceeds the preset time, closing the first two-out-of-two system and switching to the second two-out-of-two system to work.
5. The control apparatus of claim 1, wherein the first output unit and the second output unit each comprise a delay circuit for delaying the signal output by each output unit.
6. The control device based on the two-by-two-out-of-two safety redundancy system as claimed in claim 1, wherein voting functions are respectively arranged between the first communication unit and the second communication unit, between the first output unit and the second output unit, and between the first acquisition unit and the second acquisition unit, and real-time voting is carried out on input data, output data and/or operation states;
the method for carrying out real-time voting on the input data, the output data and/or the running state comprises the following steps:
carrying out byte modulo two addition operation on the voted data, voting preset times, and if one time is true, the voting is passed; otherwise, jumping into a fault trap, and closing the corresponding communication interface and the output interface.
7. The control device based on the two-by-two-out safety redundancy system according to claim 1, wherein one two-out-of-two unit is formed between the first communication unit and the second communication unit, between the first output unit and the second output unit, and between the first acquisition unit and the second acquisition unit;
each two-out-of-two unit comprises a clock isolation circuit, a data isolation circuit and two sets of symmetrical hardware structures; the clock isolation circuit and the data isolation circuit are arranged between the two sets of hardware structures and are electrically connected with the two sets of hardware structures;
each set of hardware structure comprises an operation CPU, a scheduling FPGA, an independent power supply, an independent interface circuit and a corresponding expansion circuit; the operation CPU is connected with the scheduling FPGA, and the scheduling FPGA is connected with the independent interface circuit; the independent power supply supplies power to the operation CPU, the scheduling FPGA, the independent interface circuit and the corresponding expansion circuit.
8. The control device based on two-by-two safe redundant system as claimed in claim 2, wherein the switching device comprises a key switch and a mutual exclusion circuit; the key switch is electrically connected with the mutual exclusion circuit;
the system switching device receives a condition output power output by a first safety power supply and a second safety power supply in a second secondary-taking system and main and standby state signals output by four main control units; and the master-slave switching device sends the master-slave selection signal output by the key switch and the master-slave selection signal output by the exclusive circuit to the corresponding master control unit.
9. The two-by-two-out-of-two safety redundant system-based control device according to any one of claims 1 to 8, wherein the system redundant power supplies comprise a first redundant power supply, a second redundant power supply and a third redundant power supply;
the first redundant power supply supplies power to the first two-out-of-two system, the second redundant power supply supplies power to the cutting device, and the third redundant power supply supplies power to the second two-out-of-two system;
the first, second, and third redundant power supplies are isolated from one another.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610287247.5A CN105739299B (en) | 2016-04-29 | 2016-04-29 | Control device based on two-by-two-out-of-two safety redundancy system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610287247.5A CN105739299B (en) | 2016-04-29 | 2016-04-29 | Control device based on two-by-two-out-of-two safety redundancy system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105739299A CN105739299A (en) | 2016-07-06 |
| CN105739299B true CN105739299B (en) | 2020-01-07 |
Family
ID=56287945
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610287247.5A Active CN105739299B (en) | 2016-04-29 | 2016-04-29 | Control device based on two-by-two-out-of-two safety redundancy system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105739299B (en) |
Families Citing this family (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108238065B (en) * | 2016-12-23 | 2020-06-19 | 比亚迪股份有限公司 | Computer platform based on rail transit |
| CN107748727B (en) * | 2017-09-25 | 2020-05-29 | 上海卫星工程研究所 | High-reliability cross redundancy serial communication interface for spacecraft and use method thereof |
| CN107992752B (en) * | 2017-10-18 | 2020-05-22 | 北京全路通信信号研究设计院集团有限公司 | Data processing method and device and computer equipment |
| CN107967194B (en) * | 2017-10-19 | 2020-09-29 | 北京全路通信信号研究设计院集团有限公司 | Safety computer system based on redundant Ethernet |
| CN108082219B (en) * | 2017-11-10 | 2021-01-22 | 北京全路通信信号研究设计院集团有限公司 | 2-by-2-out-of-2 redundant structure data processing method |
| CN109032021B (en) * | 2018-08-07 | 2021-06-18 | 中国航空工业集团公司雷华电子技术研究所 | Use method of redundant double-MCU hot backup control system |
| CN109739693B (en) * | 2018-12-13 | 2022-06-24 | 上海航天控制技术研究所 | Arbitration voting system and voting method for docking mechanism of cargo ship |
| CN109739568B (en) * | 2018-12-19 | 2021-12-21 | 卡斯柯信号有限公司 | Security platform starting method based on 2-by-2-out-of-2 architecture |
| CN109774489B (en) * | 2019-01-17 | 2020-11-27 | 同济大学 | Two-by-two-out-of-two redundant maglev train suspension sensor and control method |
| CN110095978A (en) * | 2019-05-06 | 2019-08-06 | 杭州耘新科技有限公司 | One kind 2 multiplies 2 and takes 2 systems and its security diagnostics method |
| CN110361979B (en) * | 2019-07-19 | 2022-08-16 | 北京交大思诺科技股份有限公司 | Safety computer platform in railway signal field |
| CN110376876B (en) * | 2019-07-19 | 2022-09-23 | 北京交大思诺科技股份有限公司 | Double-system synchronous safety computer platform |
| CN110351174B (en) * | 2019-07-19 | 2021-11-12 | 北京交大思诺科技股份有限公司 | Module redundancy safety computer platform |
| CN110554978B (en) * | 2019-08-30 | 2022-02-15 | 北京交大思诺科技股份有限公司 | Safety computer platform realized by universal I/O module |
| CN110758489A (en) * | 2019-11-13 | 2020-02-07 | 通号城市轨道交通技术有限公司 | Automatic protection system of train |
| CN111459544B (en) * | 2020-03-03 | 2022-10-28 | 北京和利时系统工程有限公司 | Method, medium and device for voting multi-pair thread data in secure computer board card |
| CN111405047B (en) * | 2020-03-19 | 2023-04-07 | 北京永列科技有限公司 | Method for realizing two-by-two-out-of-two axle counting communication interface switching |
| CN111474878B (en) * | 2020-04-07 | 2021-07-13 | 张根兵 | Electric drive vehicle control delay optimization method based on traversal cycle and electronic equipment |
| CN112395236A (en) * | 2020-11-13 | 2021-02-23 | 中车株洲电力机车有限公司 | Distributed vehicle-mounted safety computer system |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102945221A (en) * | 2012-10-18 | 2013-02-27 | 上海亨钧科技有限公司 | Full-electronic security computer interlocking system |
| CN103678031A (en) * | 2012-09-10 | 2014-03-26 | 西门子信号有限公司 | Double 2-vote-2 redundant system and method |
| CN105159863A (en) * | 2015-09-09 | 2015-12-16 | 株洲南车时代电气股份有限公司 | Secure computer platform used for rail transit |
| CN204990103U (en) * | 2015-09-17 | 2016-01-20 | 滨州学院 | Novel two take advantage of two to get two trusted computer system |
| CN205186190U (en) * | 2015-10-10 | 2016-04-27 | 河南思维自动化设备股份有限公司 | Redundant main computer unit of LKJ system |
| CN205656443U (en) * | 2016-04-29 | 2016-10-19 | 固安信通信号技术股份有限公司 | Controlling means based on two take advantage of two to get two safe redundant systems |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| ITSV20020018A1 (en) * | 2002-05-03 | 2003-11-03 | Alstom Transp Spa | DEVICE FOR PROCESSING OR COMMAND OPERATING IN INTRINSICALLY SAFE |
-
2016
- 2016-04-29 CN CN201610287247.5A patent/CN105739299B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103678031A (en) * | 2012-09-10 | 2014-03-26 | 西门子信号有限公司 | Double 2-vote-2 redundant system and method |
| CN102945221A (en) * | 2012-10-18 | 2013-02-27 | 上海亨钧科技有限公司 | Full-electronic security computer interlocking system |
| CN105159863A (en) * | 2015-09-09 | 2015-12-16 | 株洲南车时代电气股份有限公司 | Secure computer platform used for rail transit |
| CN204990103U (en) * | 2015-09-17 | 2016-01-20 | 滨州学院 | Novel two take advantage of two to get two trusted computer system |
| CN205186190U (en) * | 2015-10-10 | 2016-04-27 | 河南思维自动化设备股份有限公司 | Redundant main computer unit of LKJ system |
| CN205656443U (en) * | 2016-04-29 | 2016-10-19 | 固安信通信号技术股份有限公司 | Controlling means based on two take advantage of two to get two safe redundant systems |
Non-Patent Citations (1)
| Title |
|---|
| 一种新型二乘二取二安全计算机的设计和实现;郭庆;《中国优秀硕士学位论文全文数据库》;20120731;7,8,10-14,17-18,35-40,42-46,51-53,57-60 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105739299A (en) | 2016-07-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105739299B (en) | Control device based on two-by-two-out-of-two safety redundancy system | |
| CN110361979B (en) | Safety computer platform in railway signal field | |
| US10296685B2 (en) | Failure logic modeling method for a high-speed railway train operation control on-board system | |
| CN102713773B (en) | For the security module of automation equipment | |
| CN110376876B (en) | Double-system synchronous safety computer platform | |
| CN205068381U (en) | A secure computer platform for track traffic | |
| CN104516306B (en) | The automated system of redundancy | |
| CN110351174A (en) | A kind of safety computer platform of module redundancy | |
| CN102866690A (en) | Redundancy switching method among redundancy process control stations in distributed control system | |
| CN105244065B (en) | A kind of nuclear power station DCS control station frameworks based on FPGA technology | |
| CN102830647A (en) | Double 2-vote-2 device for fail safety | |
| CN105681131B (en) | Main preparation system and its parallel output method | |
| CN202110281U (en) | Automatic recombination structure of hollow pipe primary radar apparatus | |
| CN109062028A (en) | A kind of redundance control system of flight control computer | |
| CN103472782B (en) | A kind of distributed time sequence trigger control system | |
| CN106201971A (en) | A kind of railway signal safety computer platform based on bus synchronous verification | |
| CN205656443U (en) | Controlling means based on two take advantage of two to get two safe redundant systems | |
| CN110392009A (en) | Multi-inverter parallel carrier synchronization device and its synchronous method with redundancy feature | |
| CN103885421A (en) | Standard bus controller | |
| CN102760504A (en) | Digital control system for all plant units in nuclear power station and non-nuclear-grade control system and method | |
| CN102957565A (en) | Method and device for processing conflicts of plurality of main equipment | |
| CN107563075B (en) | Method for realizing CosiMate network and DDS network interconnection | |
| CN205427464U (en) | But redundant redundant control system of automatic recovery | |
| CN103744755A (en) | Implement system for primary and standby veneer single port shared protection and method thereof | |
| CN210442679U (en) | Air brake control system based on PLC and data bus technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |